General terminology
Single Sign-On (SSO)
Single Sign-On (SSO) is the process of signing in to multiple services using a single set of credentials (as opposed to having separate credentials for different services). Using SSO, you can sign in to your identity provider and access all the configured services without having to sign in to them separately.
Learn more about Single Sign-On.
SAML
Secure Assertion Markup Language (SAML) is a protocol which is used to implement Single Sign-On (SSO). It is an XML based protocol which the identity provider and the service provider use to communicate.
Learn more about SAML-based SSO.
XML
eXtensible Markup Language (XML) is the language through which communication happens between identity provider and service provider in SAML-based SSO.
Learn more about XML.
Authentication
Authentication is the process of verifying a user's identity when the user tries to sign in. In basic authentication, the user will enter their username and password to their service provider (SP), and the SP will grant access to the user.
In SAML authentication, when the user tries to sign in, the identity provider (IdP) authenticates the user (by verifying their credentials) and sends the authentication response to the service provider (SP). The SP, after getting the response from the IdP, provides access to the user.
Single Logout (SLO)
Single Logout (SLO) is the process of simultaneously signing users out of all the apps they have signed in to using their identity provider (IdP). With SLO enabled, when a user signs out of Zoho, they will be signed out of the IdP as well. Similarly, when a user signs out of the IdP, they will be signed out of Zoho as well. For SLO to work, it must be supported by the IdP.
Top-Level Domain (TLD)
The Top-Level Domain (TLD) denotes the last part of your Zoho account URL. If your account URL is
https://accounts.zylker.com, then your TLD would be
.com. When it comes to Zoho, there are two types of TLDs:
generic TLD (gTLD) and
country code TLD (ccTLD). If you organization's data is stored in the US datacenter, you will have the gTLD
.com. If your organization's data is stored in your region-specific datacenter, you will have a ccTLD such as
.com.cn,
.in,
.com.au, or
.eu.
Identity provider terminology
Identity Provider (IdP)
An identity provider (IdP) maintains a directory of user credentials. When a user wants to access a service (in this case–Zoho), the IdP verifies the user's identity and sends the authentication information to the service provider.
Example: Okta, Microsoft Entra ID, Google Cloud Identity
Sign-In URL
A Sign-In URL is the IdP URL where the user will be redirected for authentication when they try to sign in from Zoho directly. It may also be called a Login URL in your IdP.
Sign-Out URL
A Sign-Out URL is the IdP URL where the sign out request will be sent when the user signs out from Zoho. It may also be called a Logout URL in your IdP. This URL can facilitate
Single Logout (SLO).
Change Password URL
The Change Password URL is the IdP URL where users will be redirected when they try to reset their Zoho password.
X.509 Certificate and Public Key
The X.509 certificate contains the public key used to verify whether the SAML response really comes from the IdP when the users try to sign in to the service provider (e.g., Zoho).
The certificate will be in the following format:
-----BEGIN CERTIFICATE-----
<
Public Key>
-----END CERTIFICATE-------
When configuring SAML in Zoho, you can either upload the X.509 Certificate directly or just copy the contents and paste it in the X.509 Certificate field.
Note: We accept only the following certificate formats: based-64 coded .cer, .crt, .cert, or .pem file. Make sure to upload the certificate in one of these formats.
The IdP Metadata is an XML file which contains information such as the Sign-in URL, Sign-out URL, and the X.509 certificate.
Service provider terminology
Service Provider (SP)
A service provider (SP) is a website that hosts services or applications for users. It relies on the IdP to authenticate a user and provide access to them. In this case, Zoho is the service provider.
The SP Metadata is an XML file which contains the SP Entity ID and ACS URL. You can download this file after configuring SAML in Zoho.
SP Entity ID (Issuer URL/ Identifier)
This is a unique identifier for the service provider (e.g., Zoho). It will vary based on your DC and can be found in the SP metadata file under the tag <md:EntityDescriptor>.
ACS URL (Reply URL/ Single Sign-On URL)
The Assertion Consumer Service (ACS) URL is the Zoho destination URL where the SAML response must be sent by the IdP after authenticating the user. You can find it in the metadata file under the tag <md:AssertionConsumerService>. The last (numeric) part of the ACS URL is your Zoho Organization ID (ZOID).
Note: Zoho only supports email address Name ID format, as specified in the metadata file "urn:oasis:names:tc:SAML:1.1:
nameid-format:emailAddress" .
Relay State URL and Zoho Service
When your users access Zoho from the IdP (i.e., in an IdP-initiated flow), they will be redirected to the relay state URL. With this, you can redirect users to a specific Zoho Service when they sign in. For example, if you set Cliq as the Zoho Service, your users will be redirected to Cliq when they sign in.
However, if your IdP wants you to specify the relay state URL when configuring SAML, you can enter it in the following format:
https://{
zoho service name}.zoho.{
your top-level domain}
Sign Out Response (Single Logout)
Sign out response is used to enable Single Logout (SLO) for your organization users. There are two types of Single Logout:
- SP-initiated SLO: When users sign out from Zoho, they will be automatically signed out of the IdP as well.
- IdP-initiated SLO: When users sign out from the IdP, they will be automatically signed out of Zoho as well.
For SLO to work, it must be supported by the IdP. Some IdP's support only one of these, some support both, and some support none. For the IdPs that are supported, the steps to enable single logout are mentioned in the
respective SAML help articles.
To enable single logout, you need to:
- Select the option Do you need a sign-out response? while configuring SAML in Zoho.
- Provide your IdP's sign-out URL in Zoho while configuring SAML.
- Provide the Zoho's sign-out URL in your IdP. Zoho's sign-out URL can be found in the metadata file under the tag <md:SingleLogoutService>.
Just in Time Provisioning
Just in Time (JIT) provisioning allows your users to get added to your Zoho organization when they sign in to Zoho for the first time through SAML. They will be added after validating the SAML response and their domain. If JIT is not enabled, you have to manually add your users to your Zoho organization before they can sign in with SSO.
Using JIT, you can also fetch and autofill some user information fields in Zoho (from the IdP). To do that, map the following Zoho user information fields with the corresponding ones from your IdP when you enable JIT:
- First Name
- Last Name
- Display Name
Related articles